A better way to dump .NET assembly packed by a native stub

[wwh1004 44]

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.

Best wish.

Edited June 23, 2019 by wwh1004 (see edit history)

[Keosoft90 0]

@wwh1004 : can you add 2 tools to here ?

[wwh1004 44]

4 hours ago, Keosoft90 said:

@wwh1004 : can you add 2 tools to here ?

https://github.com/x64dbg/x64dbg/releases

https://github.com/wwh1004/ExtremeDumper/releases

[BlackHat 57]

There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
But this method I tested and works well which you described.
Very nice Explanation too. Thank you !!! 

[mdj 21]

@wwh1004 please share video on other server i cannot download from pan.baidu

Edited June 25, 2019 by mdj (see edit history)

[kao 2,120]

@mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co
I can upload the second video tomorrow, if you need that too.

@all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.

[mdj 21]

@kao thank you very very much for this if you have time please upload second video 

Best Regards

[kao 2,120]

[.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM

[john fast 0]

@kao can you provide me assembly rebuilder?

[john fast 0]

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

[Sangavi 21]

2 hours ago, john fast said:

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

[john fast 0]

Yes you are right.

[Prab 4]

This might help https://github.com/ZrCulillo/JIT-Freezer

[thanhthuanbui0610@gmail.co 0]

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

[tungtruong20xx 0]

On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết  

[huynhchicong91 0]

On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết  

bạn unpack dc netprotect v1.0 ko ?